bugzilla-daemon at mindrot.org
2005-Nov-05 04:20 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

Summary: Add Interix authentication support
Product: Portable OpenSSH
Version: 4.2p1
Platform: Other
OS/Version: other
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: tv at pobox.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Nov-05 04:22 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

------- Comment #1 from tv at pobox.com 2005-11-05 15:22 -------
Created an attachment (id=1021)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1021&action=view)
Support for Interix in configure, and authentication support

Interix authentication is a very interesting beast. Attached are diffs to add an autoconf block for Interix, as well as the necessary authentication bits to make sshd build for non-privsep usage.
bugzilla-daemon at mindrot.org
2005-Nov-05 04:31 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

tv at pobox.com changed:

           What         |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |1114
bugzilla-daemon at mindrot.org
2005-Nov-05 05:11 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

------- Comment #2 from dtucker at zip.com.au 2005-11-05 16:11 -------
(From update of attachment 1021)

>+#ifdef HAVE_INTERIX >+ result = (!setuser(pw->pw_name, password, SU_CHECK); >+#else > result = sys_auth_passwd(authctxt, password); >+#endif

This is exactly the kind of thing the sys_auth_passwd abstraction is designed to avoid. The correct way to do this is to implement your own sys_auth_passwd() and define CUSTOM_SYS_AUTH_PASSWD.

>+#ifndef HAVE_INTERIX > case ' ': >+#endif

Why this change?

>+# if !defined(HAVE_INTERIX) > /* Initialize the group list. */ > if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > perror("initgroups"); > exit(1); > } >+# endif /* !HAVE_INTERIX */

Does Interix have initgroups()? If not, just implement initgroups() as a null function that just returns zero. Ditto setgroups.

>+#ifdef HAVE_INTERIX >+ use_privsep = 0; >+#else > use_privsep = 1; >+#endif

Why doesn't privsep work? Does defining DISABLE_FD_PASSING make preauth privsep work? (That's what Cygwin and a number of other platforms do.)
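
Review bot: The added line `result = (!setuser(pw->pw_name, password, SU_CHECK);` in the HAVE_INTERIX branch of the password-check hunk opens a parenthesis before `!setuser` that is never closed, so that branch cannot compile; drop the stray `(` or close it after the call. The `!` also turns the return value of setuser() directly into the authentication result, so add a short comment stating which return value means the password was accepted, and carry that comment along when the check moves into a platform sys_auth_passwd().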
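
Review bot: The `#ifndef HAVE_INTERIX` guard around `case ' ':` carries no comment explaining why a space is no longer matched by this case on Interix. Only the case label is visible in the hunk, so a reader cannot tell what the switch does with the characters it matches; add a comment at the guard giving the reason, and confirm that whatever consumes the string after this switch handles an embedded space safely.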
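
Review bot: With the `# if !defined(HAVE_INTERIX)` guard, the initgroups() call and its `exit(1)` on failure are compiled out, so on Interix this path continues with whatever supplementary group list the process already had, and nothing in the hunk says where the target user's groups are established instead. Keep the call unconditional and provide a stub in the compatibility layer, or add a comment at the guard naming the call that sets the user's groups on this platform.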
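
Review bot: In the HAVE_INTERIX branch, `use_privsep = 0;` replaces the default `use_privsep = 1;` at compile time with no comment and no log message, so a build for this platform runs without privilege separation and nothing records why. If privsep cannot be made to work, document the reason next to the assignment and in the platform notes so the reduced isolation is visible to whoever deploys the build; otherwise leave the default at 1 and handle the platform limitation where it actually occurs.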
bugzilla-daemon at mindrot.org
2005-Nov-05 15:42 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

------- Comment #3 from tv at pobox.com 2005-11-06 02:42 -------
> >+#ifdef HAVE_INTERIX > >+ result = (!setuser(pw->pw_name, password, SU_CHECK); > >+#else > > result = sys_auth_passwd(authctxt, password); > >+#endif
>
> This is exactly the kind of thing the sys_auth_passwd abstraction is designed
> to avoid. The correct way to do this is to implement your own
> sys_auth_passwd() and define CUSTOM_SYS_AUTH_PASSWD.

Will do, and will resubmit patch at that time.

> >+#ifndef HAVE_INTERIX > > case ' ': > >+#endif
>
> Why this change?

Interix users and groups are allowed to have spaces in them. (This is because Interix is a Unix layer on top of Windows, similar to Cygwin but working at a much lower NT level.)

> >+# if !defined(HAVE_INTERIX) > > /* Initialize the group list. */ > > if (initgroups(pw->pw_name, pw->pw_gid) < 0) { > > perror("initgroups"); > > exit(1); > > } > >+# endif /* !HAVE_INTERIX */
>
> Does Interix have initgroups()? If not, just implement initgroups() as a null
> function that just returns zero. Ditto setgroups.

OK, will do. There used to be a no-op setgroups() that was used for Cygwin too, but it disappeared early in 2005. I'll have to track back to find which portable release had it last, and merge it back in.

> >+#ifdef HAVE_INTERIX > >+ use_privsep = 0; > >+#else > > use_privsep = 1; > >+#endif
>
> Why doesn't privsep work? Does defining DISABLE_FD_PASSING make preauth
> privsep work? (That's what Cygwin and a number of other platforms do.)

I can't remember why this was here, but last time I looked, DISABLE_FD_PASSING wasn't enough. I'll check again and resubmit.
bugzilla-daemon at mindrot.org
2005-Nov-06 07:50 UTC
[Bug 1113] Add Interix authentication support
http://bugzilla.mindrot.org/show_bug.cgi?id=1113

------- Comment #4 from dtucker at zip.com.au 2005-11-06 18:50 -------
Created an attachment (id=1027)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1027&action=view)
add null implementations of initgroups and setgroups

Since these might be shared, they belong in a common file. Anything Interix specific (eg the sys_auth_passwd implementation) should go into a "port-interix.c" or similar.